Cards with magnetic stripes are to be phased out in favour of smartcards with embedded crypto chips. Signatures are to be replaced by PINs.

The case for:

Smartcards are harder to clone than stripe cards.

PINs are a more reliable method of authentication than signatures.

PINs are harder to obtain than signature samples.

It can be argued that the bank will save enough in reduced fraud losses to cover the cost of the scheme and make a significant profit. Figures from countries that have already introduced similar schemes appear to support this.

To further the list of financial incentives increased compatibility between UK and European systems reduces costs and increases utility. I think this might be a major reason this is being done which hasn't been mentioned anyone else.--King DJ

The case against:

Increasing the number of places PINs are used increases the number of opportunities for obtaining them.

PINs regularly get stolen as it is [*] - and the eventual fraud does not always involve cloned cards [*] even now; and procedures for dealing with cases where criminal knowledge of a PIN is involved are [notoriously lacking] - banks have a history of pushing the liability onto a customer.

PlasmonPerson: Initially taking this on authority from Ross Anderson, who has acted as legal advisor for people trying to recover stolen cash from banks - see paragraph on [his page] starting with "Protocols have recently been the stuff of high drama", which links to a number of references, as well as [papers][2] mentioning the subject; and Mike Bond, who runs a [site] collecting information on related cases - check out the ones that were resolved in the bank's favour. Google: %22Phantom Withdrawals%22 throws up a number of news reports on people losing money (i.e. the bank not refunding it, yet presumably not convicting them of fraud) to disputed cash withdrawals, albeit not all in the UK. (7/2/7: [Watchdog] report on instances of banks pushing the liability onto customers).

It is by no means impossible to tamper with or clone smartcards. Currently, magnetic stripe is the lowest hanging fruit, but this is about to change.

Using a PIN to withdraw cash at an out-of-the-way ATM leaves much less of an audit trail than any method of abusing signature/magnetic stripe cards currently in use.

Currently, introducing chip-and-pin will result in criminals with established procedures shifting their attention to other countries. It can be argued that the benefit seen is relatively short-term, since as chip-and-pin spreads there will come a point where it makes more sense for criminals to attack the new system than to find places that still use the old one.

The whole system is expensive. It makes business sense from the bank's POV, since at least intially overall fraud will decrease and some would argue that what doesn't go away can be pushed onto the customer (see above point about procedures). It can be argued to make less sense from the customer's POV and some would argue that the alleged benefits do not justify either the cost or the increased risk of liability for theft of one's PIN; more extremely, some would argue that the risk to the *customer* actually increases since the burden of proof in cases of alleged fraud shifts significantly away from the banks.

'DouglasReay writes that LouiseBurfleet passed on the following: When till people in shops ask customers the question "Do you know your pin?" (because if the customer doesn't the till person has to lug out all the signature stuff) a significant proportion of customers (somewhere about 25%) instead of answering "Yes" or "No", respond by telling the till person their actual pin number, verbally.'

I can't believe I missed this comment. ThudThudThud?. I think the appropriate level of security here entails padded wallpaper, and lots of DuctTape. Seriously, I would expect this condition to change as people become more educated on the new system - but there really is no helping some people. --Vitenka

The idea is for the points above to be stated in as neutral a fashion as possible, and for any rebuttals to get discussed below and on subpages, with anything new that comes to light being added as extra points above. There currently appear to be more cons than pros, but it's the significance of each that is relevant - ultimately, if one considers the tradeoff worth it for the bank and the customer it doesn't matter how many cons there are. TODO: append to each of the above points a list of brief links to references - external papers, news articles, other chunks of this namespace etc. Suggest links are labeled with a *, like these examples: *[*] etc.

Quite frankly you're all luddites and conspiracy theorists, you have raised no rational points except shoulder surfing and copying cards. I work in the software industry (as a software engineer) with my employer specialising in credit card processing.

Please feel free to put up specific questions and I will try to answer them as completely as possible.dan --Moomin

Certainly. Please rebutt the ClassBreak detailed by RossAnderson. Yes, practically everyone with a sky box had a hacked card for a long time - the only reason most don't now is that they rotate the keys much more regularly. Covering the keypad will yes, mostly protect it, though make it a pain to type on. No, we are not luddites - tech is good - but bad tech claiming to be good tech is bad. --Vitenka (Who, yes, works as a software engineer and yes, had access to the sky digibox internals last year)

To back Vitenka up here, I know at least two people who have been involved in making pirate Sky Cards, so... -- Senji

Bad grammar aside, I refer you to "Secrets and Lies" by BruceSchneier (ISBN 0471253111 ), and RossAnderson's web site. Generally, it is very unwise to say that anything is "impossible", because very soon someone will find a way to do it, create an automated hacking tool, and sell it for £2000 each to the country-wide criminal population. The thing that I find most unsettling is that currently banks will pay you back if someone forges your signature, whereas when a criminal uses your PIN, you don't have a chance. I also have worked as a software engineer on computer systems that handle card transactions, and I have to agree with RossAnderson when he says that the whole system is royally messed up from a security standpoint. As far as I can see, card security relies much more on detection and response after the fact than on prevention. This works, because people get caught. However, a PIN will render much less information useful for detection than the current system of signatures. The criminals that put false fronts on cash machines probably only get caught if they return to the machine to move their equipment, or if they use the same machine with their cloned cards for too long - the system itself doesn't prevent the crime, but the database pattern-spotter programs trigger the arrests. This is why I'm displeased about turning shops into cash machine terminals, because you lose the attention payed by the shop-keeper to the cardholder. --Admiral

Ok lets ignore the tecnology for a moment, and talk about liability, who at present is responsible for all liability on fraudulantly used CreditCard? numbers ? the bank. Come the first of Jan 2005 all this liability (on customer present transactions) will move to the weakest (bank term sic) link in the chain so if the retailer does not have EMV complient hardware it is their responsibility and on up through the chain of aquirers and issuers. No one is saying that the liability will be with the customer, but admitadly this is a brave new world and I cant say for certain that fraudulant pin transactions will be contested by retailers / banks ?? Im not saying for one second that this is tha cream da la cream of solutions . . . . Im sure we can all think of more secure ways of verification.

We also have to consider the current cost to the banks 430 million pounds last year . . . and that is likely to increase exponentially as long as the current system is in place, but the ammount of that figure that is applicable to cloned cards is fairly high, as it is that safest way to conduct fraud (eg no need for a delivery address associated with your self) so yes everyone here is correct saying that the fraud and organised criminals conducting the fraud will move there attention to less secure areas such as customer not present and fraud in other contries where smart cards and EMV is not yet implemented. I have to take issue with someone else at this point who stated that this technology is allready in operation in other contries this is just not true . . yes France have a smart card CC set up but it is not EMV and works more on the ATM style with pin's flying around the ether over X25 lines. The UK will be the first country in the world with this technology. The UK is also one of the first to persue a new standard called verified by visa and mastercard secure code, these are online PIN initatives but are currently not mandatory for either merchants or cardholders, but Im sure that day will come.

Thirdy lets address the security side once more, the keys inside the terminal are physically locked down (eg if a terminal is opened all the keys are wiped. the data traveling between pin pad and card reader if in a seperate unit is encrypted and the line (physical wire) it is transmited down is rotated. I for one will feel a lot more secure using a PIN rather than signiture, so Ill have to keep it safe (people should be doing it now) at least I know someone / something is checking it rather than a shopkeeper who is happy to take CC slips with mikey mouse written on them.

As regards the card terminal being locked down - that doesn't actually matter to the criminal. In the past, employees at shops and restaurants have cloned peoples' cards and bought things with them. The banks quite quickly notice that a whole heap of complaints come from people who have all visited the same shop, and they catch the culprit. So, the criminals came up with a new idea - clone the customers' cards, but don't actually charge them. Give them a free meal, and then use the cloned card in a month's time. Then the bank doesn't have any record of the customer visiting the shop, so they have no pattern to follow. Therefore, the criminals in this case can take an official card terminal, rip out the innards, and replace it with a card cloner and PIN recorder. The fact that this machine cannot actually communicate with the bank is beside the point. --Admiral

One final point further down this wiki someone stated that his bank had said that he would not have to use PIN, if he doesnt then the number of retailers willing to take his money will diminsh very rapidly next year, the only exceptions are disabled people who will be allowed to continue to use a stamp as they currently do. --Moomin

I think you misunderstand my statement. I assert that my bank told me that shops will accept me trying to use a signature instead if I tell them that I want to. Now this leaves a couple of possibilities: Either my bank is clueless (at which point one is very worried), or the ChipAndPin system is completely useless, as a criminal can just steal a card, then use it in a shop saying "I'd like to use a signature instead please", (at which point one is also very worried). --Admiral

Admiral you would be surprised at how stoopid some banks are (especially the crap little ones like llyods tsb, and girobank) and also consider (please dont take this as me sticking up for them) but how would you go about diseminating this information to all your workers in a call centre in India

I walked into the local branch of my bank - the cooperative bank (which prides itself on being clever and helpful), and spoke to the senior advisor. It worries me. And now for a quote from Matthew Crosby - "I work for an investment bank. I have dealt with code written by stock exchanges. I have seen how the computer systems that store your money are run. If I ever make a fortune, I will store it in gold bullion under my bed." --Admiral

!!! I find the out sourcing of call centre jobs like this both terrifying and incredably annoying, how is someone in a foreign country who will never earn enough money to visit the UK have any idea about how to help me with my overdraft or find the nearest taxi company to the odean in leciester sq . . "leicester what she would say ?" adn I would have to reply in the american vanacular lie ces ter sq, and then probably spell it and then spell odean . . . bloddy de regulation of 192 I dont give two hoots if it was a monopoly before it worked and we all new what it was going to cost !! sorry rant over --Moomin

Actually, one would assume the [liability shift] will mean either you or the shop are liable in such a case (liability goes to the link not using ChipAndPin. Whose decision was it - yours or the shop's? One assumes the bank doesn't care, they just stand back and let you argue it out). Which means at best shops will very rapidly change their minds about letting you do this sort of thing, no matter how often your bank claims it isn't actively preventing shops from doing it.. - MoonShadow

Oh, don't be a fool. Of course it can't be the customer's responsibility, and there's nothing on that page to suggest that it might be. - PlasmonPerson

Uh, hello? We're discussing the customer choosing not to use ChipAndPin? How else do you propose to parse the definition of the liable party on the page linked? - MoonShadow

It's a page addressed to shop and business owners. It reads 'the liability for fraudulent transactions at the point of sale, where PIN could have prevented fraud, will shift to the non chip and PIN enabled party.' It's intended to get shops to switch to the new system by pointing out that if they are not enabled, they are the non-enabled party, and so are liable.

So, taking this statement to its logical conclusion, if a shop lets you pay using a signature then THEY are liable for any fraud on that transaction; there is no concept of customer liability, if it can be proved (I don't know the criteria) to have been a fraudulent transaction. --Moomin

What they heck do you mean about it being the customer's responsibility anyway? If it is fraud, the customer won't have been there, so can't have chosen anything, so how can they be liable? Duh.

Hm. That's actually a jolly good point. Guess it rests squarely with shops that let you do that, then - the rest of what I said still stands; shops ain't gonna want to let you do that, whether your bank tells you it'll let them or not. - MoonShadow

Also point out again the multiple anecdotes of customers having a hard time getting bad charges reversed. Banks don't have a terribly good reputation on this sort of thing. Then again, the PluralOfAnecdote is not data. --Vitenka

Agreed. I dislike it, but both supermarket chains locally are in the process of upgrading this month (April 04) --Vitenka

All supermarket chains will be up and running by the jan deadline as will all really small shops with bank rented terminals, leaving only tier 2 retailers who will be the last to implement, but the worst hit by the fraud move --Moomin

Hi, and thank you for a real rebuttal. I shall have to look into the technical differences between the french system and the english one. I agree that the problem of fraud is expanding nd that something needs to be done. I disagree that this is it. What you are saying is that it is hard to have the box that you put the card in compromised and still able to talk to the bank. I agree that this is reasonably acheivable (not having seen their tamper resistant cases, I seriously doubt that they'd stand up to persistent attack for very long, though, without also needing their keys reset after every power cut)I don't think this is the issue though - a normal person doesn't have a cryptogrpahically secure stream to verify, and wouldn't know how to if they did. All they see is a box. Is it a real box that sends their data to the bank, or is it a bad box that steals their PIN and then passes the details on to the real box which is inside it?Again - we are protecting the bank, but we are not protecting the customer. That is the problem I have.

The bank is protecting the bank, there is no consumer protection here otherwise the interest rate would be much closer to the base rate of just over 4% --Moomin

And as for moving on to other frauds, I would think the obvious target of attack is card-holder not present. In fact, I think I saw figures a while ago that this had outpaced vendor fraud. So why are they spending so much money to tackle the lesser problem?

like I say above there are plans for new CNP (cust not present) verification in addition to the csc (3 digit code on the signiture strip) and avs (address verification system) where people will only deliver to the CC's billing address. Have a read about vbyv (much more my area of expertise) once again its not a perfect solution but it will work eventaly --Moomin

Especially since systems such as one-use digital cheques have existed for a while now. --Vitenka

Yesterday, I received a letter from my bank, telling me of the wonders of the new ChipAndPin debit card they were going to send me.

(Note that future chip-enabled ATMs would substantially reduce the number of criminals with the resources to clone cards, a mag stripe reader/ writer is cheap, I don't know how expensive it is (if at all) to modify it for bank cards, whereas a device able to fiddle even the weak chips on debit cards is rather more... arcane, and has no legitimate mass market purpose. The legit chip readers aren't suitable for cloning)We've been [NTK'ed]...

And NTK gets it bang on the nail. This system reduces fraud by forcing would-be small time fraudsters (you see a few in a city magistrate's court each week) to radically change their MO. Yes they can obtain your PIN through any number of practical and entirely comic book means, but the card needed to use a PIN is only "trivial" to copy if you're a multi-million pound operation, not some kids putting £30 at a time through the Safeway's till. So they'll have to steal the original. A few of them will turn to pick-pocketing or mugging, get picked up and do some jail time. Most will look for other ways to get £30 easily.

From the big stores point of view this lets them take their low paid staff out of the security loop (who is standing next to the dodgy looking boy in the magistrate's court? it's his checkout girl lover from ASDA, she put the stolen numbers through the machine), once ChipAndPin is deployed widely they can make non-PIN card purchases (which will still exist for various reasons) a supervisor-only activity. The supervisor has more to lose from getting caught, and is perhaps too old for drug-addict boyfriends.

Arguments against ChipAndPin's success elsewhere on this site seem to revolve around the idea that fraudsters will just go elsewhere, but that's actually an argument in favor of its introduction in the UK, as otherwise we'll become a target of fraud (and associated criminal activity).

Good summation of this pages arguments. If we ignore for a moment the inevitable problems during the transition then I still have a problem with the end results though. First - if chip and pin is good for banks, the reasoning will go, it is good for student id and TimeCards? and everything else we currently use a magstripe for. So the kit to read and write them will become (more) common. Do you not recall exactly the same "No one will have a card writer" arguments being used for mag stripes?

Smart card writers are freely available on the open market for around fifty dollars today. [I'm linking to the readers, google will easily show you the writers, though] What SmartCard?s can (not do, not everyone uses this ability) make hard is to change an existing card. Secondly, the prospect of a cash transaction being made rare and difficult scares me. And those low paid people are still in the loop, they just have anew machine. --Vitenka

The purpose of ChipAndPin is to "reduce fraud". However, the definition of "fraud" in this case appears to be when a bank has to pay the cardholder back because they admit that someone accessed your account illegally. Therefore, the purpose of the ChipAndPin system is to reduce the likelihood that you can convince the bank to pay back money that someone else spent from your account.

Also, it makes it trivial to collect enough material to access such an account. All you need to do is shoulder-surf someone, or wiretap or otherwise fake the keypad, then point out the person to you friend, who mugs the cardholder. If they can steal the card without the cardholder realising, all the better. Then you have both the card and the PIN, and you can withdraw money from a cash machine. Then, of course the bank will assert that either the cardholder wrote the PIN on the card, or accessed the account himself, because "the system is secure", and refuse to pay the amount back.

Therefore, I am going to let my bank know in no uncertain terms that I am unhappy with the situation.

Does anyone know of a bank that is still issuing normal debit cards? --Admiral

Amex are the slow coaches (on some of their cards) I have an amex gold that wont expire till 2009 and that has no chip on it, or you could get a card from an american / european bank as they are behind the UK, but all switch / electron cards will be smart cards and obviously a foreign debit card will be of little use to unless its a maestro one --Moomin

Evil evil evil EVIL things. The main use of having a signature slip was to get a fingerprint impression of the user. That way, when caught, you have proof that someone used the card illegally.

Also, using the same PIN as your cashpoint pin seems to open up a big hole.

Evil. Stupid. Just because it's a chip it's secure. I think not. IIRCRossAnderson thinks not too.

Still, they have to be seen to be doing something.

The problem is, of course, that your average punter can't do PublicKeyCrypto? whilst in a queue. I mean, even us mathmo types need pen and paper... And anything short of that is stealable.

When I first heard of ChipAndPin, I optimistically thought of the following scheme: the smart card is smart enough to compute RSA signatures, and contains a keypad, a tiny LCD, and a private key for which your bank has the public key part (your bank need not even have the private key, although in practice they probably would).

Swipe the card (or some other retailer -> you data transfer mechanism), it receives a payment request and shows you how much you're about to pay (so you're not "signing a blank cheque"); type the PIN, it signs the request with your private key, swipe it again (or other you -> retailer transfer mechanism) and it sends the signed "electronic cheque"; the retailer can then send that to their bank and potentially get instant confirmation that you've paid the desired amount.

I seem to remember seeing credit-card-sized solar powered calculators quite some time ago, so I suspect this is technically possible. Voila, an average punter doing PublicKeyCrypto? in a queue. Sadly, as far as the average punter can see, this seems no more secure than the cheaper ChipAndPin-as-implemented; it's not immediately obvious that it removes the need to trust the retailer's equipment. --SMcV

Personally, I am working out my weekly budget and will withdraw cash from the bank every MondayMorning. --Vitenka (Yes, I'm aware there's no real advantage to doing this, but I feel like doing it anyway)

If I am forced to use one of these cards, I will specifically ask each shop I enter whether they use the ChipAndPin system. If they do, I will politely explain why I don't trust their keypad, and walk out. You can always get stuff from somewhere else, and it would kind of send a message. Anyone fancy joining me? --Admiral

Sadly, unless a very large number of people join in, it's too late. It's a done deal. Shops are saying that every shop will be moved to ChipAndPin by Christmas. --Vitenka

Well, they will have lost my business then, won't they. There's always the market and Daily Bread. --Admiral

No. If you have to not use a card then you can use any shop equally. You're just boycotting every shop which requires cards. Which is, even for my irrationality, a step too far. --Vitenka

So the problem is that the banks have conspired with each other to all introduce the card at the same time, and to switch all shops over to the system as quickly as possible, to avoid the possibility of a group of people boycotting a proportion of shops or banks that is far from none or all, therefore reducing the impact that any given boycott could have had. Therefore, there is a small window of opportunity for a boycott to be effective - between the time that the first shops start using the system and the last shops are converted. The only way such a boycott will work is if a large proportion of the population takes part. The problem is that the majority of people do not understand why the system is bad for them. They trust the banks to work for them, and the banks have told them that the system is good. Does anyone know of any way to persuade a large proportion of the population? Write to Watchdog? --Admiral

Become a politician or news reporter ;) Seriously, most of the population thinks it a slightly annoying but obviously good thing. Small shops are getting their replacement units for free. Supermarkets will of course switch en-masse, but they are holding out for longer. Damn it - they could easily have made the jump to full anonymous secure electronic cash. But nooo, we get a half hearted less secure system instead, purely because the banks like to attack the problem they can see rather than prevent all problems - and because they are getting better at PR. --Vitenka

I would be most interested to learn what RossAnderson is doing about this affair - even if he has a card at all, given how bad he know the system is. Maybe I'll send him an email. Of course, the banks have lots of money and a very good reason to pay people to keep quiet, so there may be quite a bit of opposition to publicity. --Admiral

I am not convinced that it isn't more secure for the customer. At the moment, if someone steals your card, they can use it all they want because shops that check the signature properly are rare. With the new system, if they don't have the number, they can't get in. Assuming you make sure that no one is looking over your shoulder as you type, how will they get that?

Read the debate above, it covers all your points. Basically, the assumption you are making is actually a bit of a big assumption. A lot of money is getting stolen from ATM""s by shoulder-surfers right now. Bear in mind that the security of the present system, for you and me, does not come from the signature - it comes from the fact that the credit card company covers losses after the first 50 quid stolen; given a duff transaction on your credit card bill, you just call them up and say "hey, I didn't spend that!" and they give you the money back and start an investigation if they consider the loss big enough. The mechanism here is detection+reaction, not prevention. Now consider what happens when you get shoulder-surfed with a chip+pin system: "Hey, I didn't spend that!" - "Well, you must have done, 'cos the system isn't like the old signature system - it's secure. Now we're gonna sue you for attempted fraud." Certainly the system is more secure as far as the bank is concerned - they lose less money; but is it really what you, the customer, want? - MoonShadow

Just to point out, BTW that although the bank may cover the loss, you pay in the end, one way or the other. --Vitenka

I don't think it's a big assumption that you can stop people looking over your shoulder. A quick look around, a hand over the keyboard, all the stuff you should be doing at cash machines anyway. If people are careless and let people see them typing, you can't help them. So don't you do that.

It's blummin difficult. I think that the machines could be designed a lot better for that. But that's not the point, handheld machines are suspect. And it's not traceable which machine did the stealing, they can wait ages before using the details. --Vitenka

(thinking about them hacking the keypad at a shop is paranoid: there's no way to do it in respectable shops, and with dodgy shops there's already the danger of them reading the data, putting it on a fake card, signing it, and then using it happily).

You go to a restaurant. You eat your meal, and ask for the bill. The waiter serves you a bill on a nice silver plate. You put your card on the plate, and some random person who just happens to have been serving you all evening wanders up, sticks your card into some fancy-looking machine, claims it is one of the wireless card handling machines, and asks you to type in your PIN. --Admiral

I'll point out that these card cloning handhelds exist and are in use already. It won't be terribly hard to add a keypad - and it's one thing to make a copy of a card which can then be used for telephone shopping, and quite another to make one that can withdraw from a cash point. --Vitenka

Agreed, supermarkets and other fixed emplacement are much safer than smaller shops, for this sort of thing. But um, basically, yes. Signal quality is generally low, but you're sure to find one or two shops with ill-placed cameras that show the typing. The tempest was mainly a rebuttal of the 'black helicopters' view. I'm just pointing out that this is in the realms of reality, and can be done. And it will only get easier and more efficient over time. --Vitenka

So, from a fuzzy picture they're going to be able to work out the number typed by someone taking care not to be overseen? It's in the realms of reality in the way the neutron bomb is: theoretically possible, but it'll never actually be used. If I started worrying about things this likely I'd never go out of the house. There's a line somewhere where you have to say 'that's unlikely enough that I'll not worry about it'. I mean you could get hit by a meteorite bearing proof of life on Mars. But you probably won't.

*shrug* People have been doing things on a similar level of complexity with ATMs for years. Why stop now, just when you can do so much more, so much less traceably, with a stolen card and pin, and there are so many more points of attack to choose from? - MoonShadow

So there's no new dangers, and an old danger is lessened. It's not perfectly secure, but what is? It is, however more secure than the current system.

Swapping out the machine is the main danger, and is already a danger. The main objections to making this change are two. Firstly, the practical one that they are spending a bunch of (our) money and not making the system significantly better, and in some ways worse. Secondly, that they could have made it so much better, just by listening to people like RossAnderson and making a better system in the cards firmware. --Vitenka (the second one is kinda a geeky objection)

Unlike MoonShadow, I think we now basically agree, as opposed to basically disagree ;) --Vitenka

For whom?

Well, it seems that the danger of me having my card stolen is lessened, as it will be much less use without the PIN, which I won't let anyone get hold of.

And any time I put my card into a card reader it could be cloned. But you know what? Most - almost all - shops don't do that. And won't do that. This danger from the new system is not significantly more than the old, and in other ways it's safer.

It's not the shop, it's a single clerk at a shop. I agree that the risk of being cloned isn't any greater - but the damage a cloned card can do is significantly increased. Before they could mail order stuff - now they can withdraw cash. Cash is a bit harder to trace than mail order goods (which, after all, have to have a pickup address) That means the risk to the cloner is reduced, which means more people doing the cloning. Also, as has been said, the banks will turn around more often and say "No, it must be your fault." Which will be a bummer. --Vitenka

There, you might have a valid point. Paying by cash seems a good idea in dodgy shops which are likely not to have as clear an idea of what their staff are doing. But it's not a hugely significant worry, is it? I mean, look at the situations: before, you were in danger from muggers and pickpockets who could nick and use your card, and also from cloners in dodgy shops. Now it's just cloners. Reduction of risk.

No reduction from a mugger, if they are stealing your wallet, they can force you to hand over a PIN?. And they can check it on the spot easily enough too. --Vitenka

Well, a little reduction: how many muggers nowadays demand PIN numbers, even though they're useful? But no, it doesn't totally rule out the mugging.

Before, you were in danger from pickpockets who could nick your card and use it to buy stuff from shops, leaving a trail of people who've seen their faces. Now, you are in danger from pickpockets who can nick your card and use it to withdraw cash anonymously from an ATM, leaving no audit trail other than one that the bank can use in court to demonstrate that *you* were the one who drew the cash - using all the arguments you use elsewhere on this page. The criminals can get more out of it, with less risk to themselves, so they will spend more time thinking up ways of nicking your PIN; and the number of places where they can try and observe you using it has vastly increased. - MoonShadow

They can't do that unless they also have got my number by one of the implausible ways you've been suggesting (amazingly accurate backpack-mounted steadicams, hacking CCTV systems, hiding and positioning cameras without anyone getting suspicious that they're a shoplifter or something) or have an accomplice who is able to swap the scanner device for a modified one without any of the shop's management catching on, who they are also able to communicate in time for the accomplice to tell them which customers' cards to lift.

We seem to be going round in circles. Oh, well - guess I'll just have to wait until the first stories start appearing in the newspapers before you're convinced. -MoonShadow

I'm convinced there's a danger. There's always a danger. I'm just not convinced it's significantly more than the current situation. Everything is insecure. These are more secure in some ways, less in others. But they're not the end of the world.

I hypothesize that muggers don't often demand PINs because they don't really need to. If they do start to need to, then they will. I don't think mugging is a terribly important issue. --Vitenka (Will reply to MoonShadow once I sort out the edit conflict evilness)

Anecdote I remember from security lectures: Once upon a time, a security courier company decided that far too many of its vans were getting hijacked at gunpoint, resulting in the loss of the van contents. They thought about it for a while, and decided to arm their drivers/couriers. The result: instead of the drivers being abandoned at the side of the road while the hijackers drove off, they hijackers would shoot the drivers right at the beginning of the encounter. Whoops. They would have been better off investing in some armour plating and bullet-proof windscreens, and a tamper-resistant van tracking system. --Admiral

How about making people use a different PIN for buying stuff and for withdrawing cash? - MoonShadow

I had assumed at first that this would be how it was. But no, that was too sensible. And I still object to it. It is trivial to steal a number, it is hard to steal a signature, and a signature leaves fingerprints which gives an ability to trace and punish. A number is nice and anonymous. --Vitenka (It's as worthless as those 'security' numbers on the back of the card - use once, steal anywhere)

You may be entertained to hear that in America,the pad one signs on is now a digital touch-sensitive thing with a stylus. No more fingerprints from signatures there. --AlexChurchill

And for novelty SlashDot? has discovered [some people] who made a decent profit by discovering and dismantling ATM card skimmers. I am amused. --Vitenka

Surely those pictures have got to be faked? I mean come on, who'd want to go to the risk of physically going to an ATM to attach equipment to it when they can just launder stolen credit cards through a perfectly impenetrable front company? And surely if a crime syndicate is tech-savvy enough and can afford all the equipment to boot, they can just go into porn, spam and hacking online store databases to steal credit card numbers instead? ;);) - MoonShadow

People have suggested that the people planting the equipment would have made more money just selling the shiny camera equipment to wannabe SecretAgent?s. --Vitenka

That particular one I linked to was quite a complex bit of kit - trigger on motion, send pictures wirelessly etc. Agreed you can pick it up in retail, the point is that you probably make more profit selling them than you do trying to use them that way. Especially if they get nicked by investigators ;) --Vitenka

Indeed. People should take note. Oh, there's been one in Cambridge now, according to [cam.misc].. - MoonShadow

I went and talked to my bank yesterday. They assured me that I would be able to use a signature instead of a PIN whenever I want. Does anyone else see the problem here? --Admiral

It renders the exercise even more pointless than it already is? - MoonShadow

Umm, at present there are loads of chances for fraud anyway, using online stuff. Using my card I can ring up and ask for things, or fill in online banking forms and don't have to sign or use a PIN. I have here at work a long list of customers card details I could take on a shopping spree to Amazon right now if I felt like it, but I get paid not to do so.

That waiter you are talking about can just go out back and write down the number, sort code, expiry data, card type owners name etc, then go spending. --Zebbie

This has been answered, I think on this page (although you could be forgiven for not finding it). The difference is you have to tell Amazon/etc where to send your goods - they'll have a delivery address on file. No such thing exists at a cash machine. (Admittedly this answer is getting less and less satisfying as more and more purchased items are purely electronic with no physical reality, but currently it still holds some water...) --AlexChurchill

Yes indeed (and WelcomeToWiki!) - the problem is that they are opening up more opportunities for this sort of thing, whilst saying that they are making it more difficult. They are also reducing how traceable it is. The situation as it stands is far from perfect, and something should be done - yes. But not this. Or at least, not just this, and certainly not claiming that this is the end of it and thus any fraud is now the users fault. --Vitenka

Which you have not, so far as I can tell, shown is the case. I believe that such a reversal of the burden of proof in a court would require legislation. --SF, who isn't involved in this argument, but you never did answer this...

Support for this position has been given repeatedly during this debate (see the many, many places where Plasmon / ChiarkPerson asks this question over and over again and it is answered, over and over again). If you don't want to wade through the masses of text above and in subpages (I don't blame you, they are badly in need of refactoring - if only to remove all the duplication), [Chip and Spin] has a summary of the salient points, the PDF linked from that site contains references to support the points they make, and Mike Bond's website - or even a simple Google search for "phantom withdrawals" - amply demonstrates current bank/court precedent on allegations of fraud involving the use of a PIN. - MoonShadow

British law has been changed to shift liability to the "weak link," and the burden of proof has never really been in the right place here anyway. --Admiral

Just forcing it to court is a massive increase of your liability. And no, they might not do it. But they now can - and it seems that when a business can save money by messing with people, it will. So no - I've not proved that things will become worse in this manner - but balancing "This is the potential downside" against "The bank says it won't do that" gives a very poor result, to my mind. --Vitenka

My understanding was that if a customer wanted to use signatures, the shop had to let them - but has been seeing signs saying "Chip and Pin only" - which was obviously going to happen. Isn't this against the agreements though? Then again, said shop chain is also saying "No scottish notes" which is AFAIK illegal... --Vitenka

Not convinced. I thought Scottish notes weren't legal tender, so there's absolutely no obligation for shops to accept them. Isn't it only BankOfEngland? notes that are completely legal? --CH

They can say "no notes" if they want to. LegalTender? is only an issue for the specific circumstance of settling a debt. -- Senji

Really? That's mad. At what point have they agreed to sell me the goods and incurred the debt, then? --Vitenka

As someone (don't think it was me) predicted, a large number of shops now have pads permanently displaying "Tamper detected" - making the warning meaningless. --Vitenka (who has managed to avoid using a pad thus far)

Really? I've yet to see one --Edith (who despite the risks uses his Chip and Pin quite merrily on a daily basis)

Maybe it's just lazy people locally. And also - [Wireless chip and pin] - need I say more? Well, I will, anyway. I saw this at a restaurant. The main worry is how easy it would make using a fraudulent terminal that looks real (say - siphons off a tenner each time) given that you could have the wireless comms completely secure (it reconnects to the base periodically for recharging). But I will bet money that they aren't. --Vitenka

[Chip and Pin Mandatory] - as predicted. Although I didn't think this would make the news, seeing as shops have for some time now been (illegally?) turning away people who are pinless. --Vitenka

Cut the bank's fraud costs, at least. But one of the concerns voiced on this page is that banks might push the costs of fraud onto their customers, and that isn't addressed here. --Edwin

Any reason to think that's happening?

Tescos have decided to cut across the whole issue by letting you pay by card at their self-service checkouts with no authentication whatsoever. It worries me a bit, and I hope they at least require some if you spend more than the <£10 that I typically do. --Edwin

That's pretty odd - mind you, it'd be easier to just walk away without paying at all than to fraudulently pay, so it might be a sensible priority decision. --Vitenka

Not so sure about that. They have one member of staff watching ~4 self-service checkouts, so it'd be a bit hard to walk away without paying. But I doubt they do require authentication, because Tesco petrol stations are one of the several petrol stations that now let you pay at the pump with a credit card without any auth. I think British Rail self-service ticket machines are the same. Cancel your cards ASAP if you lose them, people. --AC

That's what I meant - they have a uch larger security hole (people walking off without putting their card in at all) to cover first, before they worry about authentication. I'm surprised that the banks allow this, since they introduced ChipAndPin and forced everyone to switch over to it. --Vitenka

Rail ticket machines no longer allow you to buy without a pin. They got upgraded 3 months ago at Cambridge and Kings X --Edith

My local Tesco has also covered up their pay-at-pump machines with big plastic things saying "Please pay at the kiosk". Before they did that, the machines had been disabled since (roughly) Feb 14th. --CH

I believe that Tesco's model is that it's easier to absorb the cost of fraud than to try and do authentication properly on unmanned terminals. If you try and spend more than (IIRC) 50ukp unauthenticated then you have to wait for the assistant to do the C&P dance with you. -- Senji

That seems particularly mad - since ChipAndPin would seem ideal for unmanned terminals (see, for example, ATMs.) - if it has any advantages over signature, that would be a big one. --Vitenka (Mind you, you can still catch people who're looking it up on a piece of paper or whatever and ask them not to.)

What you can't conveniently do is stop people from trying dictionary attacks on cards with them -- the traditional "three strikes and you're out" model doesn't work when there're, say, 50 unmanned C&P points (plus as many ATMs) in a conveniently small area. I don't know if this is an attack model that TESCO are considering, but.... Also, thinking about it, I've not seen an unmanned C&P machine that can actually confiscate your card... -- Senji

Isn't that because the chip locks itself after n failed attempts, so you don't need to rely on anything external to the card to do that? At least, I *assumed* that was the idea.. C&P is even suckier than I thought if not. - MoonShadow

Like everything to do with CnP? - it could be secure. But it's not. --Vitenka

My Dutch card locks itself after 3 failed attempts from any combination of sources, even my home handheld thingy that runs on batteries.--King DJ

If people are opposed to being pinped, just use cheques. You get to sign and oddly get respect from the counter staff, and if you are at Tesco's they print out the cheque, so takes about the same time. --Garbled

Cheques are on their way out - companies say they're too much fuss - banks want to close another loophole. You cannot use cheques in, eg. 'Game' any more. --Vitenka

Cheques are practically unabolishable, at least without wiping out many small traders and mail-order companies. Plus they're the only legal way of sending money through the post to private citizens (excepting that small percentage of private citizens with credit-card handlers). And some people still get paid with them -- Senji.

Online cash transferral. Plus people DO send money through the post, despite it being a bad idea. (And postal orders exist, though they're basically cheques with knobs on) Lots of companies don't accept cheque as payment of postal bills any more - those that do make it as hard as possible and add discounts for direct debit. It won't die for a while - but it's on its way out. And if it takes out hobbyist retailers, well - I can see CrocodileTears? in the banks future. --Vitenka

It's not just a bad idea, it's a breach of your contract with the RoyalMail :) (Unlike in the US where it's actually PrimaryLegislation? illegal). Things I've recently used cheques for include milk (where the only other available method of payment is leaving about 20ukp outside overnight in cash), MailRedirection? (where the cheque counts on the "awkward" list of authentication documents), and notably my Solicitor. Online cash transferal requires (a) online banking (b) paying a fee (often), and is hence bad. -- Senji

The fee would, I think, be the whle reason bans are pushing it. And companies love the "We will redeem our whole debt in advance" feature of DirectDebit?. It's a bad thing, but it's happening. --Vitenka

Does this mean that the money was being syphoned off by ordering stuff over the internet using the card no., by cloning the magnetic strip or by using the cards to authorise payments in addition or instead of the payments to Shell? I'm confused.--King DJ

Banks are cheapskates. To save a few cents per card, rather than doing crypto work itself, the chip on the current generation of cards sends what happens to be enough data to make a valid magstripe to the terminal. The crooks simply arranged to listen in on this and the typed-in PIN, then later write the magstripe data onto a blank card and use it in ATMs that still accept magstripe cards - such as ones abroad - to withdraw cash. This precise attack was predicted back when C&P was still in discussion, but the pro-C&P camp dismissed it as impractical. - MoonShadow

The vector was: Tamper with the shell card readers. Those then steal the card number / mag stripe data (and since they are tempered with, can just as easily steal the pin, too...) Using that info, you then steal however you like - in this case, using foreign ATMs (which accept non-chip cards, which are easier to make.) The shell transaction goes through as normal, the tampered devices were just skimming the numbers off for later. --Vitenka

Although do note that they could as easily have not passed on the transaction and instead given the customers free petrol; this would (a) have reduced the amount of information for investigators to trace/correlate, and (b) once Shell investigated and a precedent for banks paying cash back rather than claiming attempted phantom withdrawal fraud got set, provided everyone in the UK with the opportunity to plausibly deny large transactions on their own accounts and claim they'd been defrauded at a Shell petrol station, regardless of whether they'd ever been inside one in their lives. - MoonShadow

In addition: This attack is not limited to shell (although this instance of it seems to have been). any time you can tamper with the card readers you can perform this (or a similar) attack. --Vitenka

It does probably require a social attack to get at sufficient PoS? terminals to make it worthwhile, of course -- Senji

It does, yes - and the cards that are used can be traced to the terminals (as happenned here) - but if you wait long enough before using the cloned cards, spread the usage... you could get away with just breaking one unit. Which a clerk could do. So we're back to the same setup as before - badguys bribe shop workers into letting them tamper with the machines. --Vitenka

Abroad? Late or never. The US, in particular, has no plans whatsoever to switch away. A number of european countries already have established chip systems incompatible with ours, leaving magstripe as the only option. UK banks have no plans to disable withdrawing cash abroad and provide separate magstripe cards for travellers AFAIK. My personal preferred solution, of course, would be to force the use of different PINs for store terminals and withdrawing cash; I suspect people would generally prefer the risk to the inconvenience, though. - MoonShadow

What happens when icky foreigners (such as myself) bring their magstripe cards into the UK? Will I be able to use cash machines / pay at stores? --K

Mostly, yes. I have seen some C&P terminals that don't have magstripe capability in the wild, but very few; major chains such as Tesco have invested into brand new combination readers (of the slide card past magstripe reader into chip reader variety), ATMs retain magstripe capability, and most small shops still retain an imprint+sign fallback for when the equipment fails - as it often does; so no changes there. If there are any longterm plans to phase magstripe out, they are not yet public. - MoonShadow

Short of having a seperate PIN having a UK (and compatible) card that says this account has no mag-strips so the bank can say who do you think you are trying to withdraw cashing using a mag-strip from it. Then you can charge extra for the "international" edition which would hopefully identify itself as a different card.--King DJ

That's FAR too sensible. Much easier for banks to require you to phone them weeks in advance of going abroad - and probably soon finding you liable for any fraud if you don't. --Vitenka (still miffed about Barclaycard - it's none of their business where I am, if I want to use it abroad I should be able to, haven't they heard of the internet and anyway I never get that much notice...)

Someone was sayign the other day that they'd been issued with a stripless card, but I can't remember who it was -- Senji

My Dutch card has a bit of green colouring where the strip should be but I don't know if that just a different coloured material. I've never used it in a swipe machine though the supermarket checkouts appear to have some form of swipe capability. Instead for things like parking machines that aren't connected to the internet you have Chip-Knip which is a small separate amount of insecure money that I put on the card that doesn't require PIN. Much more sensible than these railway ticket machines that don't seem to require any ID at all (though fleecing you through one of them is of limited value). Oh and Barclay's sucks, though none of the banks I've spoken to will let me open a new bank account as I can't prove I'm me to their satisfaction. HSBC is supposed to be better though.--King DJ

Counterevidence for the argument that large-scale cash withdrawal from ATMs is impractical:

Security (Note, most of the unsigned comments are from the same person - gw.plasmon.com, so it's a running discussion here, not a set of unrelated objections.)See also CategoryShoppingIs there, somewhere, an in-depth description of how the chip-and-pin system actually works? I'm finding it hard to get at information more detailed than "It's more secure because it uses modern chips instead of old-fashioned magnetic stripes. And you have a number. Aren't numbers cool?" In particular, stuff like how the card verifies the PIN, whether it locks you out after X attempts, and so forth. --Edwin

See the [EMV specifications]; in particular, the [CPA]. I couldn't tell you which particular sections apply to current ChipAndPin implementations, but industry contacts assure me they have, to date, been selected for cost rather than security reasons. Note, for instance, that account and PIN details are available in the clear to anyone intercepting card<->terminal traffic in the case of SDA. - MoonShadow

Thanks. It's... rather a lot of information, but I've been skimming. It does kind of give me the feeling that the specification is saying "you can do things securely if you want, but don't feel you have to", and your comment doesn't exactly inspire great confidence. --Edwin

My bank let me transfer 10k. With a chip and a pin. Whilst I might be persuaded that this is a sufficient audit trail for 250 quid, for that amount it is clearly unacceptable. Are any banks not planning to allow this sort of rubbish? --Vitenka (Oh, and they needed the card twice, once for that and once to pay in a cheque. Competence reigns.)